Perhaps people should write their passwords down where no one will ever see it but them. Take your average IT guy, for example. If they're going to write down a password, they'll choose somewhere that only they will be guaranteed to ever see it. Their penis.

I've got so many logins and passwords I HAVE to write them down. My little black book, in other words. It's either that, or use the same login and password for every program/website/computer I use which is just stupid.

Usually I just pick a random name from history and add a couple of numbers to it, e.g. Methuselah206. Who the hell is going to guess that?

...but understandable. I've got at least twelve passwords for various systems at work, each of which requires me to change the password every 90 days, many of them don't allow for any previously used passwords to be used and a few of the systems talk to each other to confirm you're not using the same password for multiple systems. I downloaded a password keeper app (which of course requires a password to enter) to help keep everything straight but when I go into my coworkers offices it's common to see a password or two written on a post-it note on the bottom of the screen.

gopher321:I've got so many logins and passwords I HAVE to write them down. My little black book, in other words. It's either that, or use the same login and password for every program/website/computer I use which is just stupid.

Usually I just pick a random name from history and add a couple of numbers to it, e.g. Methuselah206. Who the hell is going to guess that?

If the hackers are guessing, they're doing it wrong.

Longer is better, and hopefully whoever is storing the password is responsible about it.

I just did an online password security training... gotta take it every year. I think just about everyone within a radius of 3 cubicles heard me mumble BS when I read meat@35 is more secure than mycatsnameistimmy because the latter did not have any symbols.

Try logging into a corporate bank account. Four different user-id or password fields including the last field, which requires you to enter your own password with one that you have to read from a token key (if you can find it).

Saiga410:I just did an online password security training... gotta take it every year. I think just about everyone within a radius of 3 cubicles heard me mumble BS when I read meat@35 is more secure than mycatsnameistimmy because the latter did not have any symbols.

Well, there are a lot of variables to the "how secure is it?" question. Does your attacker have access to your hash and therefore unlimited attempts to solve for it? Does your attacker know that you use only letters? Do you, in fact, have a cat named "timmy"?

Given a brute-force password cracker and nothing else, yes, more is better, typically without regard to complexity. Given an attacker with insider knowledge, though, complexity and obscurity wins the day. Though, ultimately, both will fail without adherence to proper security procedures such as safeguarding and aging.

As the network admin, I have to remember dozens of passwords. If you can't remember 2-3 passwords you're an idiot. If any of the desktop support techs sees a written password on a post-it or hidden under the keyboard I've instructed them to lock the user's account immediately and change it.

Here's a tip: use sentences. For example, This1is2my3gmail4account5Password6. Really long, so it is very difficult to crack. Easy to remember.

While true, it's good practice to avoid anything that a person with access to your Facebook page might be able to guess. For instance, if you are a member of a duck hunting club and Like (TM) Ducks Unlimited, a password such as "huntingducksiscool" may not be the wisest choice.

That article also appears to be illustrating another common security failure, and this one isn't sitting behind the keyboard.

No human being would ever, ever, ever have chosen that random mishmash of a password. That suggests to me that the admin of this system is from the school of thought that says 'Users, left to their own devices, choose shiatty passwords. I do not want shiatty passwords. Therefore, I will not allow users to choose their passwords. I will randomly generate uncrackably-complex passwords and assign them to the users.'

The result is that the user is issued a string of characters that he or she is required to use on a daily basis, and that he or she is never going to be able to memorize in a million years. And the inevitable result is that he or she writes the password down.

At which point the admin will blame the user for poor password security.

KickahaOta:That suggests to me that the admin of this system is from the school of thought that says 'Users, left to their own devices, choose shiatty passwords

He's right.

Have you ever run an audit on user passwords in an organization? My experience has always been that > 25% of passwords are weak enough to be broken by tools like Cain or l0phtcrack in less than 48 hours.

KickahaOta:At which point the admin will blame the user for poor password security.

With the exception of a few more sensitive users, I have no problem with people writing down their passwords. However, they are clearly told that they are entirely responsible for the physical security of that password, and they are responsible by policy for the implications of it being misused if it's lost or stolen, so they better damn well lock it up if they write it down.

SnarfVader:When employees are forced to change their password often they will use easily guessed passwords. It's high time companies invested in other means for authentication that don't rely on passwords.

Two factor works pretty good, but employees lose shiat constantly. The last place I was at had that for certain IT workers, and even they lost the damn things. Nerds / geeks who know how important the stuff is can't keep track of it? You're doomed with regular users.

Tr0mBoNe:Of course I write down my password. The nerds in the IT closet make me change it every 6 weeks.

Yeah, what they don't realize is that when you require an uppercase letter, a number, 12 digits in length, a non-standard character, make you change it every month, every tool you use has a different login and password, and they won't allow you to reuse any of your last two dozen passwords, people all but have to write passwords down and put them on a sticky on the corner of their monitor.

jbtilley:Tr0mBoNe: Of course I write down my password. The nerds in the IT closet make me change it every 6 weeks.

Yeah, what they don't realize is that when you require an uppercase letter, a number, 12 digits in length, a non-standard character, make you change it every month, every tool you use has a different login and password, and they won't allow you to reuse any of your last two dozen passwords, people all but have to write passwords down and put them on a sticky on the corner of their monitor.

Achieves the exact opposite of what they were going for.

Well, to be fair, what 'they' are going for is to show they have some security plan in place. It's the user's fault for having the password posted on the monitor. Welcome to the corporate C.Y.A. world.

Vegan Meat Popsicle:Have you ever run an audit on user passwords in an organization? My experience has always been that > 25% of passwords are weak enough to be broken by tools like Cain or l0phtcrack in less than 48 hours.

Which is why you limit the system to one attempt per second (or 2). The user won't notice and you just made brute forcing it take 20000001 times as long. A 15 minute lock out at 3 errors and it will take over two hours to guess the super safe password "t".
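The two cost models argued about above (offline cracking against a stolen hash, where only length and character set matter, versus online guessing through a login form with a delay and lockout policy) can be put into numbers. This is an added example, not code from any poster; the hash rate, the class-based keyspace estimate and the lockout model are assumptions stated in the comments.

```python
"""Brute-force cost under offline cracking vs. an online lockout policy."""
import string

# Character classes a naive brute-forcer might size its job by (assumption).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def keyspace(password: str) -> int:
    """Smallest class-based search space containing `password`:
    (sum of the sizes of the classes it uses) ** len(password).
    A dictionary/phrase attack (e.g. knowing the cat is named Timmy)
    is a different model and is not captured here."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def offline_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust `space` when the attacker holds the hash
    and is limited only by hardware speed; no lockout applies."""
    return space / guesses_per_second


def online_seconds(space: int, max_failures: int, lockout_seconds: float,
                   per_attempt_seconds: float = 1.0) -> float:
    """Worst-case time to exhaust `space` through a login form that costs
    `per_attempt_seconds` per guess and locks the account for
    `lockout_seconds` after every `max_failures` consecutive failures.
    If the correct guess is the last one, every earlier full block of
    failures triggered a lockout."""
    lockouts = (space - 1) // max_failures
    return space * per_attempt_seconds + lockouts * lockout_seconds


def compare(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise both models for one password (1e9 guesses/s is an assumed
    offline rate; online policy is the thread's 3 errors / 15 min lockout)."""
    space = keyspace(password)
    return {
        "keyspace": space,
        "offline_hours": offline_seconds(space, guesses_per_second) / 3600,
        "online_hours": online_seconds(space, 3, 15 * 60) / 3600,
    }
```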

gopher321:I've got so many logins and passwords I HAVE to write them down. My little black book, in other words. It's either that, or use the same login and password for every program/website/computer I use which is just stupid.

Usually I just pick a random name from history and add a couple of numbers to it, e.g. Methuselah206. Who the hell is going to guess that?

Go and get Password Safe from SourceForge and thank me later. It can be installed either on a machine or thumbnails.